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Abstract: This research aims to explain certain aspects of the complex legal system of 
personal data protection. The paper is based on the analysis of domestic and EU regulations 
that regulate the rights of citizens to the protection of personal data. The paper provides an 
overview of the obligations that must be fulfilled by tourism entities in order to ensure that 
the processing of personal data is carried out in accordance with the law. In addition, the 
risks associated with the processing of personal data and the possibility to ensure the security 
of data processed by providers of tourist services are listed. The research showed that there 
are many open questions in the tourism sector regarding the implementation of regulations 
on the protection of personal data. 
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ZaStita podataka o licnosti u turisti¢kom sektoru 


Sazetak: Ovo istrazivanje ima za cilj da objasni pojedine aspekte slozenog pravnog sistema 
zastite podataka o li¢nosti. Rad se zasniva na analizi propisa koji na evropskom i 
nacionalnom planu regulisu prava gradana na zaStitu li¢nih podataka. U radu je dat pregled 
obaveza koje treba da ispune turisticki subjekti kako bi se osiguralo da se obrada podataka 
fizi¢ékih lica vrsi u skladu sa zakonom. Osim toga, navedeni su i rizici povezani sa obradom 
li¢énih podataka i moguénosti da se obezbedi bezbednost podataka koje obraduju pruzaoci 
turisti¢kih usluga. Istrazivanje je pokazalo da u turisti¢ékom sektoru ima dosta otvorenih 
pitanja u vezi sa implementacijom propisa o za&titi li¢énih podataka. 


Kl]jucne re¢i: podaci o li¢nosti, fiziéka lica, zaStita, turizam 
JEL klasifikacija: K10, Z30 


1. Introduction 


One of the consequences of information technologies development in the last twenty years is 
the increase in the importance of information and data. Technological advances have made it 
possible to digitally collect vast amounts of data and then transmit, process, and transmit it 
across a global network. Businesses of companies are increasingly focused on adapting their 
products and services to the needs of consumers and using information from and about 


* slucic @jura.kg.ac.rs 


©) BY This article is an open access article distributed under the terms and 


conditions of the Creative Commons Attribution (CC BY) license 
(http://creativecommons.org/licenses/by/4.0/). 


193 


Lucicé, S. — Protection of personal data in the tourism sector — 
Hotel and Tourism Management, 2023, Vol. 11, No. 1: 193-206. 


potential and existing consumers for this purpose. In the course of technological progress, 
there is a constant transfer of data in social life. After an online purchase or online 
reservation of services, the system remembers information and data transfer. Based on these 
data, similar products or services can be recommended to the user and the company can 
increase its sales or service provision. Data processing is therefore an important success 
factor, especially in business. The term “processing” includes, among other things, the 
collection, storage, modification, deletion, dissemination, disclosure through transmission 
and use of personal data (Chatzopoulou, 2021, p. 125). 


The transmission and automatic processing of data have their downsides. If the data is further 
processed without protection, the information may be freely available to third parties. In this 
way, misuse of data can easily occur. Given that globalization and related social changes 
lead to strong networking, it is important to protect data. Data protection generally refers to 
regulations aimed at protecting personal data and preventing misuse of data by third parties. 
Since many areas of society are affected, there are different data protection principles. 


Defining the concept of data and protection of personal data is not an easy task. Different 
meanings are used for these terms today. Data protection means the protection of information 
that is not intended for the general public. Personal data contains information that directly or 
indirectly relates to a natural person. In this sense, personal information is, for example, first 
and last name, nickname, e-mail address, citizenship, data from a passport or identity card, 
travel visas, and data from a health record. However, data protection is not only limited to 
the protection of personal data. It also includes the protection of an individual’s freedom to 
decide for himself what will happen to his data and when it can be processed. On the one 
hand, data protection protects citizens from misuse of their personal data. On the other hand, 
it includes the right of citizens to informational self-determination. 


Information self-determination is a topic that is becoming increasingly important in the age 
of digitization and information technologies. Informational self-determination contains two 
rights: the right of every person to disclose information about himself and the right to freely 
decide not to disclose it. In addition, every person has the right to decide what will happen to 
their data and what it should not be used for. Although the right to informational self- 
determination is not yet explicitly established by the constitutions of most countries, 
including ours, according to judicial practice, it represents a basic right to data protection and 
an expression of the general right to personality. The judgment on the census of the German 
Federal Constitutional Court was crucial for the establishment of the right to informational 
self-determination (Judgment of the First Senate of 15 December 1983 - 1 BvR 209/83). The 
reason for this judgment was the census planned in the first half of 1983 in the Federal 
Republic of Germany. The State wanted to collect a lot of personal data in the census under 
the “Census Act’, including detailed information about family and civil partnerships, 
housing situation, educational and vocational training and employment, professional status, 
working hours and commute. Several constitutional appeals were filed against the planned 
census, which ultimately led to the so-called census verdict. In this, not only the illegality of 
the planned census was determined, but also the law on the census was declared 
unconstitutional. Referring to the general right of personality as a constitutional right, this 
judgment established the right of citizens to informational self-determination. 


Today, a large amount of data is also processed in the tourism sector. Based on the analysis 
of EU regulations and domestic regulations on the protection of personal data, the following 
hypotheses were formulated: 


H,: Tourism companies must respect certain principles when processing personal data. 
H,: As a rule, travel companies may not process special categories of personal data. 
H;: Travel companies must respect the rights of natural persons concerning personal data. 
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2. Materials and methods 
2.1. Personal data protection in the European Union 


The area of personal data protection at the EU level was first regulated in 1995 (Andonovié 
& Prija, 2020, p. 119). In the meantime, various external and internal factors, such as the 
increasing use of the Internet, the development of information and communication 
technologies, the increasing use of data in business, and significant violations of privacy 
rights have influenced the need to regulate this area in detail (Andonovi¢é & Prlja, 2020, p. 
119). In this sense, the General Data Protection Regulation (hereinafter: GDPR) was adopted 
in the EU on April 27, 2016. This Regulation, which came into force on May 25, 2018, is a 
far-reaching, uniform and a partially new law on data protection with direct application 
throughout the EU. This regulation is of great importance, especially with regard to 
increasingly advanced digitalization as one of the characteristics of the 21st century. Before 
the entry into force of this Regulation, especially in cross-border traffic, there was legal 
uncertainty regarding the protection of personal data, both on the side of consumers and on 
the side of business entities (Feiler & Forg6, 2016, p. 5). 


The goal of adopting the General Regulation is to standardize data protection in the EU and 
thus create the same data protection standards for all member states. In addition to the direct 
application of the GDPR, member states have the freedom to regulate certain issues, e.g. 
from which year a minor can effectively consent to the processing of his personal data or 
whether fines can be imposed on authorities and public bodies (Feiler & Forg6, 2016, p. 6). 
On the other hand, GDPR does not provide definitive solutions in all areas. Hence, judicial 
practice, especially of the EU Court of Justice, is of great importance in regulating the 
protection of personal data in the EU (Fercher & Riedl, 2016, p. 31). However, based on 
additional information, the Internet provider could identify this visitor. In this case, the 
identity of the website visitor can at least be determined, which means that the provisions of 
the GDPR apply to him/her (Feiler & Forgé, 2016, p. 4). For example, when registering on a 
certain online platform, a natural person does not provide his/her name or any other 
information, except his/her e-mail address. However, based on this data, that natural person 
can be identified. 


GDPR regulates data protection of natural persons. In other words, legal entities are excluded 
from the scope of the GDPR, unless the company name, for example, contains the name of a 
natural person. However, in the tourism industry, companies store the contact details of their 
partners, which is why the data related to this entry is covered by the GDPR. 


The GDPR does not apply to the protection of personal data that is used exclusively for 
private purposes. These family or private activities include, for example, using social 
networks exclusively for private purposes (Hladjk, 2016, p. 40). This means that if, for 
example, an employee of a hotel forms a Viber group for planning joint leisure activities, 
while the employer does not influence the content or participants of this group, then this 
form of communication is not covered by the GDPR. 


In a territorial sense, the GDPR applies to all processing of personal data within the business 
activities of entities based in the EU, regardless of whether the processing is carried out in 
the territory of the EU or outside it (Andonovié & Prija, 2020, p. 122). However, the 
provisions of the GDPR also apply to data processing carried out by companies based 
outside the EU but processing personal data of EU citizens, or to companies based outside 
the EU but with one or more branches in the EU. In this way, the territorial application of the 
GDPR is largely extended to countries that are not members of the EU, but that have strong 


195 


Lucié, S. — Protection of personal data in the tourism sector — 
Hotel and Tourism Management, 2023, Vol. 11, No. 1: 193-206. 


economic cooperation with its market. This includes the Republic of Serbia, which, among 
other things, has good tourism cooperation with entities on the territory of the EU. 


The GDPR protects all personal data, both those processed manually and those processed 
electronically or through video surveillance. 


2.2. Personal data protection in Serbia 


Our country recognized in time the need to protect personal data. In 2018, the Personal Data 
Protection Act (hereinafter PDPA — The Law on Personal Data Protection - Official Gazette 
of the RS No. 87/2018) was adopted in Serbia, which replaced the previous law that has been 
in force since 2008. The PDPA regulates the right to protection of natural persons in 
connection with the processing of personal data, the principles of processing, the rights of 
persons to whom the data refer, the obligations of the processor of personal data, the transfer 
of personal data to other countries. The PDPA is largely aligned with the GDPR. However, 
in relation to the GDPR, our Law does not contain a preamble, foresees milder sanctions, and 
does not regulate video surveillance issues. The PDPA establishes a personal data protection 
system regardless of whether it is applied by persons under private or public law. In this 
sense, the PDPA also obliges tourist subjects, such as, for example, travel agencies, hotels, 
restaurants, airlines. These entities collect various types of data, such as customers’ first and 
last names, addresses, unique identification number, number passports, nutritional 
information, medical condition or even religious affiliation (Kedzior & Sadowska, 2019, p. 
71). In certain situations, these entities transfer data, for example a travel agency transfers 
data to a hotel, airline or insurance company. 


The obligation to protect personal data also exists within the so-called smart tourism 
activities (Gretzel et al., 2015, p. 42). Unlike e-tourism, which digitally connects individuals 
with travel companies, smart tourism is based on the application of artificial intelligence, 
cloud computing, the Internet of Things (Buhalis, 2020, p. 268). Thanks to these 
technologies, tourists can experience a better, higher quality and more interactive trip (Garcia 
et al., 2018, p. 168). 


The PDPA does not provide for special regulations relating to certain areas of social life. In 
other words, the Law does not introduce any special conditions for data processing that 
would be more or less strict compared to other sectors. In the continuation of the paper, an 
overview of certain provisions of this law will be given, which are of importance for the 
obligations of tourism entities with regard to the protection of personal data that they 
encounter in their work. 


3. Implementation of regulations on the protection of personal data in 
the tourism sector 


3.1. Principles of personal data processing 


Companies must follow certain principles when processing personal data. Random and 
unplanned data collection is not allowed. Personal data can only be processed legally, for 
specific purposes and in a factually correct manner. The volume of data processed should 
correspond to the purpose of the processing. It is questionable whether online retailers, for 
example, absolutely need a phone number to be able to process an order. However, this does 
not apply to companies that provide travel services. After fulfilling the purpose of 
processing, personal data must be deleted. 
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Data protection includes technical and organizational measures that the company must 
implement. Employees must be committed to confidentiality and respect for data protection. 
When working with personal data, companies must pay special attention to the principles of 
processing established by law. 


The basic principle of personal data processing is the legality of the processing. The PDPA 
in Art. 12 lists the possible legal bases for processing personal data. The first and most 
common legal basis for processing personal data is the consent of the natural person, i.e. data 
subject. Consent can be given in writing or electronically by clicking on a specific website. 
However, subscribing to the newsletter on the travel company’s website does not constitute 
consent to data processing (Pollirer et al., 2017, p. 32). The request for consent must be 
written in clear and understandable language and must be distinguished from other facts, 
such as references to other data protection information (Kastelitz, 2017, p. 110). Consent 
must often be given for each processing separately, if the information being processed differs 
from one another. For example, when checking in to a hotel, the consent to send 
advertisements electronically and the consent to process the passenger’s health data must not 
be contained in the same form. 


The subject whose data is being processed can revoke his consent at any time. Unlike the 
GDPR, which stipulated that a minor who has reached the age of 16 can independently give 
consent for the processing of personal data, our PDPA lowered that limit to 15 years of age. 
This means that the consent to send the newsletter of the children’s resort to a child who has 
e.g. 13 years old can only be given by a parent or legal representative. 


The most common legal basis for the processing of personal data in the tourism sector is that 
the processing is necessary for the purpose of executing a contract or undertaking actions 
leading to the conclusion of a contract. In particular, data about the address of a guest who 
ordered an information bulletin from a travel company can be entered and saved in the user’s 
file for the processing of the order process. 


The legal basis for processing personal data is also the legal obligation of the data handler. 
The Law on Hospitality of the RS in Art. 7, paragraph 1, point 17 prescribes that the caterer 
is obliged to enter data about the user of the accommodation service daily and regularly in 
the prescribed manner. In addition, the same Law in Art. 15 stipulates that the caterer who 
provides the accommodation service is obliged to enter data about the user of the 
accommodation service through the central information system, in the prescribed manner. 
For domestic citizens, these data usually include “name and surname, day, month and year of 
birth and residential address” (The Law on Hospitality, Art. 15, Par. 2). For foreign 
nationals, these data include “name and surname, day, month and year of birth, citizenship, 
type, number and date of issuance of the foreign travel document” (The Law on Hospitality, 
Art. 15, Par. 3). The above data is entered by the caterer through the central information 
system (E-tourist) based on the data from the identity card, travel document or other public 
document with a photo. Through this system, registration and de-registration of tourists is 
carried out, tourist taxes are paid and facilities are categorized. This system gathers all data 
on caterers and catering establishments in the Republic of Serbia. All the above data are 
collected based on legal obligation. However, special consent from the guests is necessary 
for the use of said data for electronic connection with the system of the local or regional 
tourist association. In practice, this consent is given in an additional checkbox with 
appropriate information about data processing for this new, different purpose. 


The Ministry of Trade, Tourism, and Telecommunications, as well as the local government 
unit, collect personal data on natural persons who provide catering services in the manner 
prescribed by the Catering Act (Art. 64-69) and PDPA. 
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The processing of personal data is lawful when it is necessary to protect the vital interests of 
the data subject. In tourism, this basis has little application. A possible example in tourism 
practice is information about the guest’s age, physical ability or eating habits in the event of 
a medical emergency. 


The processing of personal data is also legal if the processing is carried out for the purpose of 
performing tasks in the public interest or for the purpose of exercising the powers prescribed 
by law. This basis for the processing of personal data would exist in the event that the local 
government transfers the obligation of guest registration to the local tourist association. 
Guest data in this case would be processed by the local tourist association for the purpose of 
performing tasks in the public interest. A contract between the local self-government and the 
corresponding tourist association is necessary for the execution of works in the public 
interest in the above given example. 


Personal data must be processed fairly. The principle of fairness aims to direct all those who 
apply legal norms to take care of every processing, which means that facts and norms are 
interpreted and applied according to the circumstances of each specific case (Andonovi¢é & 
Prlja, 2020, p. 56). Responsible persons should process other people’s personal data with full 
care and respect. An example from tourism practice is a questionnaire that a tourist fills in at 
a tourist association and that is forwarded to accommodation facilities in a certain tourist 
region without their consent in order to send them suitable offers. Instead, it is in the interest 
of the guest that the tourist association sends him collective offers of accommodation 
facilities, without the need to send his/her data to various tourist companies in the region. 


The principle of transparency allows citizens to be aware of all activities related to their 
personal data. In essence, transparency means that the processing of personal data is carried 
out in a way that is understandable to the data subject (Kastelitz, 2016, p. 100). For example, 
a person who fills out a questionnaire on a tourist site directly from the questionnaire should 
be clear to whom the questionnaire is intended, to whom it can be transmitted, for what 
purposes the questionnaire data can be used, i.e. for what other similar purposes it can be 
further used. 


Personal data CAN only be collected on the basis of the reasons provided for in advance by 
law. In other words, personal data cannot be collected before there is a need for their 
processing. Limitation in relation to the purpose of processing is one of the central principles 
of European data protection law. Our PDPA stipulates this principle in Art. 5, Paragraph 1, 
Point 2. The reasons for processing personal data must be stipulated in advance by law. In 
certain exceptional situations, personal data may be used for purposes other than those for 
which they were originally collected. It is a condition that other purposes are compatible with 
the original purpose of data collection. If this compatibility cannot be established, data 
processing for other purposes is permitted only with the express consent of the processing 
subject. For example, specific consent or other legal basis is required to send informational 
brochures or postal Christmas cards to hotel guests. 


When there is a need to process personal data from citizens, only those data that are essential 
for achieving the purpose of the processing can be requested. For example, on a tourist 
website, in the questionnaire about available rooms or apartments, the user should not be 
asked in the mandatory field, e.g. about his occupation. 


The principle of accuracy means that data stored in databases must be updated and 
harmonized with changes in the factual situation (Voigt & Bussche, 2017, p. 91). However, 
in certain situations it is necessary to save information that has been determined to be 
incorrect. For example, in specialized hotels that provide medical services, a person’s 
medical record may contain a diagnosis that turns out to be incorrect. Regardless of the fact 
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that this information is not correct, it will be kept because it is necessary for the further 
treatment of that person. Of course, in the appropriate place, it is necessary to make a note 
about the inaccuracy of certain data. 


The storage of personal data is limited to the time that is really necessary to achieve the 
purpose of processing. Data that are no longer necessary must be deleted. Deleting 
unnecessary data reduces misuse and inaccuracies of data stored. The PDPA sets out the 
reasons for which personal data may be stored for longer than the purpose for which the data 
was collected. These are the following reasons: archiving in the public interest, processing in 
the interest of historical or scientific research. The period of storage of personal data is easy 
to determine in those cases where the legal basis for the storage of personal data and the 
erasure period derives from the law (Hotzendorfer et al., 2018, p. 58). In the tourism sector, 
there is no legitimate interest in storing an email address after sending a brochure ordered by 
a client via e-mail. 


When processing personal data, processors can find out important information about the life 
of the individual whose data is being processed. Loss, destruction or misuse of personal data 
by third parties could cause negative consequences for the rights and interests of the person 
whose data is being processed, as well as those close to him. For example, information about 
the tourist destination where the clients of a travel company rest and the vacation period is 
leaked to the public, which can cause harmful consequences for the rights and interests of the 
clients of that company. Data processing must be secure and secured by special measures 
that protect against unauthorized access and misuse (Voigt & Bussche, 2017, p. 92). 


Personal data must not be accessible to unauthorized persons. An example of the disclosure 
of personal information in tourism is a list of travelers that is available to a tour guide 
(Kedzior & Sadowska, 2019, p. 77). In certain situations, it is necessary for the guide to call 
the passengers. However, it can be disputed here whether the guide is allowed to read the 
passenger list out loud. Practice on this matter has not yet been established. Bearing in mind 
that for security reasons the guide reads the list of passengers he received from the tour 
operator, we believe that in this case the guide does not violate the rules on the protection of 
personal data. 


3.2. Special categories of personal data 


There are categories of personal data that may not be processed as a rule. It is about personal 
data that enjoys a higher degree of protection compared to the protection that is usually 
provided to personal data. This type of personal data refers to characteristics of a strictly 
personal nature, the violation or misuse of which may have negative consequences for the 
natural person to whom they relate. This group includes data related to: racial or ethnic 
origin, political opinion, religious or philosophical belief, membership in a trade union, 
genetic and biometric data, data on health or data on the sexual life or sexual orientation of a 
natural person (PDPA, Art. 17, Par. 1). 


Special categories of personal data are regularly processed in the tourism industry. Primarily, 
it refers to health data. Health data contains information about the “physical or mental health 
of a natural person, including data on the provision of health services, which reveal 
information about his health condition” (PDPA, Art. 4, Par. 1, Point 16). The Court of Justice 
of the EU interprets the concept of health data very broadly, which, according to this court, 
refers to all information that affects all aspects of human health - both physical and 
psychological (H6édl, 2018, p. 26). Data on food allergies and intolerances of guests, which 
are generally regularly recorded in the hotel and catering industry, also belong to health data. 
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There are several situations in which the processing of special types of personal data is 
permitted. The first situation is the consent of the person whose data is in question. Another 
case is that the vital interests of the individual require the processing of his personal data. In 
tourism practice, the processing of health data is carried out only if the person to whom the 
data refer has given consent to the processing. Data on food allergies and intolerances are 
most often of vital importance for the health of the person to whom the data refer. Therefore, 
these data can exceptionally be processed without the express consent of the person to whom 
these data refer (PDPA, Art. 18, Par. 1, Point 2). 


In addition to health data, a special type of data that is processed in the tourism industry is 
data on sexual orientation, that is, the life of a certain person. An example of this is the 
registration for an event that is expressly organized for persons of homosexual orientation, 
based on which a conclusion can be drawn about the sexual orientation of those present at 
that event. 


3.3. Rights of natural persons concerning personal data 


The PDPA regulates institutes and issues of importance for the protection of personal data in 
Serbia. As special rights related to the protection of personal data, the Law singles out: the 
right to information, the right to correction, the right to be forgotten, the right to limit 
processing, the right to transfer data, and the right to object (PDPA, Art. 21-40). 


The right to information gives individuals the opportunity to obtain information on all 
matters related to the processing of their personal data (Davinic, 2018, p. 52). PDPA 
envisages the right to be notified by art. 23 determines the range of information provided to 
the person from whom personal data is collected. The right to information provides data 
subjects with transparency regarding their personal data being processed. In this context, a 
natural person has the right to information on whether the processing of his personal data 
was carried out in a clear and comprehensible form, in writing, orally or electronically. The 
information must be provided electronically if the request for information is submitted 
electronically (e.g. by email). Exceptionally, the answer can be given in a different form only 
if the person concerned agrees to it (Feiler & Horn, 2018, p. 85). Especially in the case of 
giving information orally, the identity of the person requesting the information should be 
checked before giving the information. The data must not be given to a person who is not 
authorized to receive the information. Otherwise, the principle of data confidentiality would 
be violated. On the other hand, it should not be unnecessarily difficult for a certain person to 
exercise his right to information (Haidinger, 2016, p. 126). However, if, for example, a 
person requests information via e-mail about the saved data about the use of his electronic 
guest card during the last holiday and mentions only his name and the holiday period, the 
identity of this person should be verified with additional authentication measures, provided 
that the guest is not clearly identified in the system guest’s electronic cards via the e-mail 
address. 


The right to correction and addition of personal data is regulated in Art. 29 PDPA. The right 
to correction is based on the fact that every natural person has the right to request the 
correction of incorrect or inaccurate personal data. Correction is required from the person 
who stores and uses the data. In addition to the correction, natural persons can also request 
the addition of personal data. Personal data is used daily in the tourism sector for 
identification, the conclusion of contracts, and realization of various tourist services. A 
natural person has the right to request the responsible person to immediately correct incorrect 
data or to request the completion of incomplete data. For example, if a name is misspelled in 
a holiday reservation, the person responsible is obliged to correct this information. A correct 
and up-to-date database is also in the interest of responsible persons. 
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A natural person has the right to request the responsible person to delete his personal data in 
the cases prescribed by the PDPA in Art. 30, Paragraph 2, Points 1-6. For example, the 
purpose for which the data was collected has been achieved or the data processing has been 
carried out in violation of the law. In addition, it may happen that a natural person withdraws 
consent to processing. In all these cases, the person whose data is in question can request the 
deletion of the data. According to the law, tourist companies are obliged to store certain 
personal data, e.g. documents used in accounting. This means that the guest cannot request 
the deletion of personal data stored in the hotel’s accounting (e.g. booking confirmation and 
hotel invoice). The request for deletion of this data can be rejected with reference to Art. 12, 
Paragraph 1, Point 5 PDPA. The request for deletion can also be rejected if the processing of 
personal data is a necessary condition for the realization of the legitimate interests of the 
responsible person. For example, if incidents occurred during the stay at the hotel that could 
justify a claim for damages by the hotel against the guest, the guest’s request for deletion of 
personal data may be rejected with reference to Art. 12, Paragraph 1, Point 6 PDPA. 


A natural person has the right to request that the processing of his/her personal data be 
limited by the responsible person if one of the cases stipulated by the PDPA in Art. 31, 
Paragraph 1, Points 1-4. One of those reasons is that the personal data are no longer 
necessary for the responsible person to achieve the purpose of the processing, but the person 
to whom the data refers has requested them in order to submit, exercise or defend a legal 
claim. For example, a hotel has filed a claim for damages against a hotel guest. The guest has 
the right to object to the deletion of any video material from the hotel, if he believes that the 
video material could serve as evidence in the court proceedings the hotel is conducting 
against him. 


The right to data portability gives citizens the opportunity to demand that the entity that 
disposes of their data transfer it to another entity. In the tourism sector, this right does not 
have much importance, except in some exceptional cases. For example, the guest has the 
right to request that the hotel transfers his personal data in case he decides to change hotels. 


PDPA in Art. 37 regulates the right to a remedy. Every person has the right to object to the 
processing of personal data relating to him. The right to object is of great importance in the 
tourism industry, especially in direct marketing, i.e. advertising. 


4. Rights related to automatic processing of personal data 


The development of modern technologies has led to the “independent” operation of 
computers. Computer programs that automatically predict results have proven to be useful 
tools in making various business decisions, remediating economic losses, and in the 
decision-making process in everyday matters. Automatic decision-making is used in finance, 
education, medicine, tourism, and many other areas. 


Artificial intelligence technology (hereinafter: AI) has, among other things, the ability to 
predict, i.e. give recommendations. This ability is based on the ability to use information, 
that is, data to classify and evaluate different individuals. Thanks to AI, business entities can 
adapt their products or services to each individual. Unlike traditional software, AI 
technology can even predict the behavior of individuals. Thanks to this, business entities can 
provide and improve the range of their products and services, adapting them to the habits and 
needs of individual clients. 


AlI-based personalization has the power to improve the quality of travel services as well. 
Travel companies can use AI to offer their customers personalized recommendations for 
their services. Namely, tourists are increasingly searching for tourist destinations online, 
booking travel and accommodation. As a result of this growing trend, tourism companies 
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have new ways i.e. chances to connect with customers. Thanks to Al-based personalization 
travel companies can adapt their services to suit the requirements, habits, and preferences of 
each customer. 


AI can generally be used to customize the user experience as it can collect, analyze and 
combine large amounts of data from different sources. Thanks to this, AI can be more 
effective than traditional personalization techniques. However, Al-based personalization has 
its drawbacks. Namely, successful personalization requires high-quality data. If the data is 
missing or incorrect, AI can make recommendations and offers that do not match the 
individual profile of the client, i.e. it can give results that can lead to unjustified divisions 
between people, discrimination, labeling of people, and similarly. On the other hand, entities 
including travel companies that want to increase personalization must take into account the 
privacy of clients, i.e. comply with regulations on the protection of personal data. Excessive 
personalization can negatively affect the user experience. Despite the challenges, Al-based 
personalization is being used in the tourism sector to understand user habits and needs in 
order to generate personalized travel service recommendations with greater precision. In the 
tourism sector, especially in smart tourist destinations, chatbots, and virtual assistants are 
popular that answer the queries of individuals, help them find their way on a certain website, 
and suggest personalized services (accommodation, transportation, destinations) that clients 
might be interested in (Masseno & Santos, 2019, p. 8). Thanks to data such as travel history, 
purchase history, and loyalty program status, the AlI-based system will provide personalized 
offers according to the budget and habits of individuals. 


AI has the potential to improve not only the quality of business but also the quality of 
people’s lives. However, Al-based personalization opens up a dilemma — how and where to 
draw the line between personalization and privacy? In order to protect citizens from the 
unwanted consequences of automatic decisions by computer programs, data protection 
systems recognize citizens’ special rights in relation to such decision-making. This is also the 
case with the legal system of Serbia, in which the right of a person to decide whether a 
decision made solely based on automatic processing of personal data will be applied to him 
is guaranteed, i.e. from the processing done by the computer program (Art. 38, Para. 1 
PDPA). The decision must have a certain legal significance, so only those decisions that 
produce legal consequences or that significantly affect the rights and interests of a certain 
natural person are taken into account. 


In addition to automatic data processing, citizens have the right to decide whether decisions 
based on “profiling” will be applied to them. Profiling is defined as “any form of automated 
processing that is used to assess a specific personality trait, in particular for the purpose of 
analyzing or predicting a natural person’s work performance, economic position, state of 
health, personal preferences, interests, reliability, behavior, location or movements” (Art. 4, 
Paragraph 1, Point 5 of the PDPA). 


Health tourism can be cited as an example of decision-making based on profiling and 
automatic data processing. Computer programs in healthcare can classify a certain person in 
the category of persons most susceptible to thyroid disease and who is _ therefore 
recommended to stay at Zlatibor in Cigota - the Specialized Hospital for thyroid diseases. 
This profiling does not mean that the person already suffers or will suffer from thyroid 
disease. Aware of the need for special nutrition for thyroid patients, Cigota Specialized 
Hospital provides personalized meals in accordance with the health condition of the patients 
(Masseno & Santos, 2018, p. 127). 


The person whose data is used in automatic data processing must have the opportunity to 
express his position regarding the specific decision, as well as to invest in legal remedies if 
he believes that the decision is not correct or legal. However, the operator must also take 
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adequate measures to protect the rights and interests of the person whose data is used in 
automatic data processing, such as the inclusion of the human factor in the control of the 
automated processing process. 


Thanks to this right, citizens have the opportunity to decide independently whether to accept 
personalized results that are obtained based on automatic data processing. In this way, the 
basic principles of personal data protection, such as transparency, legality of processing, and 
protection of the legitimate interests of the person whose data is processed, are realized. 
However, in certain cases, citizens cannot avoid the application of the results of automatic 
data processing (Art. 38, Para. 2 PDPA). The first case refers to decisions made based on a 
special regulation that allows automatic data processing. The second case refers to decisions 
that are necessary for the conclusion or execution of a contract between the person to whom 
the data refer and the controller. The third case refers to giving express consent to the 
automated processing of personal data. 


In addition to the contract, the basis for automatic data processing can also be a special 
regulation. In this way, it is possible to enable the automatic processing of personal data as a 
rule in certain cases, when administrative bodies perform important social tasks (such as 
public health or national security). However, the regulation that allows automatic data 
processing must be specifically explained, based on the legitimate expectations of citizens 
and in accordance with the data protection system. 


5. Results and discussion 


The topic of personal data protection is a challenge for many travel companies. Travel 
agencies, caterers, as well as travel and accommodation booking platforms process a large 
amount of data every day. In accordance with the regulations on the protection of personal 
data in tourism business, it is important that personal data is inaccessible to others. With the 
constant traffic of tourists reigning in tourist facilities, data should be well secured. 
Therefore, tourist entities should first of all protect their computers from access by others. 
Secure passwords and a good firewall form the comerstone of IT security in tourism. In 
addition, very simple things, such as a privacy screen on the computer that blocks the view 
of other guests’ reservations, should be a standard in tourism. However, in addition to the 
protection of digital data, it is important to implement protection when collecting analog 
data. Despite the fact that more and more work is done digitally and that the protection of 
personal data is often equated with the protection of digital data, handwritten data must also 
be secured. In this sense, cabinets or offices must be locked and documents must not be 
visible at the reception desk. In general, reception and reservations are the key factor to data 
protection. In many cases, the so-called tourist tax must be paid. It is not uncommon for there 
to be forms that must be filled out manually when signing up. And this data must be 
protected, i.e. provide in an adequate manner. 


The implementation of regulations on the protection of personal data in tourism is no 
different from other business areas. A special challenge in meeting the requirements for the 
protection of personal data exists on the part of international companies. Namely, hotel 
guests are often people with foreign citizenship. In this sense, it is necessary that the 
obligation to notify and statements on data protection be available at least in English. This is 
the only way to ensure that all interested parties can exercise their data protection rights and 
understand the purpose of their data collection. 


The protection of personal data also applies to online platforms. Therefore, if the reservation 
of travel, accommodation, etc. is performed through an external booking platform, it must be 
checked in any case to what extent a contract for the processing of personal data is necessary 
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in the sense of Art. 45 PDPA. In addition, it is important that data is sent only through secure 
and encrypted access. However, the processing of personal data is not only a process carried 
out during a reservation or enquiry. Each collection, for example, of a potential customer’s 
IP address, each cookie setting and related data processing constitutes a collection of 
personal data that is subject to personal data protection. Therefore, travel companies are 
obliged to use their website in accordance with the regulations on the protection of personal 
data. 


Personal data is not processed only when booking and checking in to a hotel or apartment. 
Video surveillance is a classic example of the further collection of personal data. 
Photographs may also constitute personal information if the person concerned is clearly 
identifiable in the image. Recording of any kind is part of the processing of personal data. 
Numerous tourist facilities, primarily hotels, use surveillance cameras citing a legitimate 
interest, such as the safety of employees, protection against burglary, and protection of 
property or vandalism. A clearly visible sign must be placed in front of the area monitored by 
the camera, indicating that the area is being monitored. 


6. Conclusion 


The PDPA contains the rules and basic institutes within the personal data protection system 
in Serbia. This law has largely aligned personal data protection standards with GDPR as a 
regulation that has direct application in all EU member states. However, data protection rules 
and institutes can also be found in other regulations that govern specific areas of social life. 
In the tourism sector, these are the provisions of the Law on Tourism (Articles 113-118) and 
the Law on Hospitality (Articles 64-69). 


Travel companies collect various personal data in their work. Despite the fact that the 
domestic and European regulations on the protection of personal data contain certain legal 
gaps, most companies, including tourist companies, have learned to act appropriately in 
relation to the application of the regulations on the protection of personal data. However, 
adaptation of all companies, including tourist companies, to the rules and requirements on 
the protection of personal data must be done continuously. Every day, various entities collect 
large amounts of personal data, store them in large databases and process them. With the 
growth of collected data, the danger of its misuse has also increased. In addition to an 
effective legal system for the protection of personal data, it is extremely important to 
establish high-quality personal data security measures. These measures must also be 
implemented in the tourism sector. Employees in the tourism sector must have good self- 
control skills. In addition, continuous practical training in the field of personal data 
protection is necessary. In this sense, this paper represents a contribution to raising 
awareness and understanding of the meaning and purpose of personal data protection in the 
tourism sector. 


In general, many open questions related to the protection of personal data will be clarified by 
case law. In the field of electronic communication, it can be expected that the planned new 
EU Directive on e-Privacy will create significantly more legal certainty in the field of 
personal data protection on the Internet. Namely, this Directive is primarily intended for 
companies operating in the digital economy and specifies additional requirements that these 
companies should fulfill in connection with the processing of personal data. 
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